Shuttle Risk Progression: Use of the Shuttle Probabilistic Risk Assessment (PRA) to Show Reliability 

Growth 


It is important to the Space Shuttle Program (SSP), as well as future manned spaceflight programs, to 
understand the early mission risk and progression of risk as the program gains insights into the 
integrated vehicle through flight. The risk progression is important to the SSP as part of the 
documentation of lessons learned. The risk progression is important to future programs to understand 
reliability growth and the first flight risk. This analysis uses the knowledge gained from 30 years of 
operational flights and the current Shuttle PRA to calculate the risk of Loss of Crew and Vehicle (LOCV) 
at significant milestones beginning with the first flight. Key flights were evaluated based upon historical 
events and significant re-designs. The results indicated that the Shuttle risk tends to follow a step 
function as opposed to following a traditional reliability growth pattern where risk exponentially 
improves with each flight. In addition, it shows that risk can increase due to trading safety margin for 
increased performance or due to external events. Due to the risk drivers not being addressed, the risk 
did not improve appreciably during the first 25 flights. It was only after significant events occurred such 
as Challenger and Columbia, where the risk drivers were apparent, that risk was significantly improved. 
In addition, this paper will show that the SSP has reduced the risk of LOCV by almost an order of 
magnitude. 

It is easy to look back after 30 years and point to risks that are now obvious, however; the key is to use 
this knowledge to benefit other programs which are in their infancy stages. One lesson learned from 
the SSP is understanding risk drivers are essential in order to considerably reduce risk. This will enable 
the new program to focus time and resources on identifying and reducing the significant risks. A 
comprehensive PRA, similar to that of the Shuttle PRA, is an effective tool quantifying risk drivers if 
support from all of the stakeholders is given. 
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I. Introduction 


I T is important to the Space Shuttle Program (SSP), as well as future manned spaceflight programs, to understand 
the early mission risk and progression of risk as the program gains insights into the integrated vehicle through 
flight. The risk progression is important to the SSP as part of the documentation of lessons learned. The risk 
progression is important to future programs to understand reliability growth and the first flight risk. This analysis 
uses the knowledge gained from 30 years of operational flights and the current Shuttle PRA (SPRA) to calculate the 
risk of Loss of Crew and Vehicle (LOCV) at significant milestones beginning with the first flight. 

A. Key Objectives 

This analysis has two key objectives. First is to provide the SSP with a historical risk progression which will 
highlight major Shuttle modifications and their impact on risk. Second is to provide a new program a glimpse into 
how a program which has operated for 30 years has gained insight into the risk drivers through flight. 

B. Scope 

Estimating the Shuttle Risk for each flight is not feasible in the timeframe available, nor is it necessary because 
there may not be a noticeable difference between every flight. The following flights were chosen based upon when 
significant milestones occurred: 

• STS-1 - First Flight 

• STS-5 - First “operational” Shuttle mission. Ejection Seats Disabled 
• STS-41B - Flight following STS-9 Auxiliary Power Unit (APU) fire 
• STS-5 1L - Challenger 

• STS-26 - Return to Flight after Challenger 

• STS-29 - Post STS-27 Solid Rocket Booster (SRB) nose cap Thermal Protection System (TPS) loss 
• STS-49 - Drag Chute introduced, Endeavour enters service 

• STS-77 - Block 1 and 1A engines, New High Pressure Oxidizer Turbopump (HPOTP) 

• STS-86 - First flight of new External Tank (ET) foam application process 

• STS-89 - Earliest to combine Block 1IA engines, New Large Throat Main Combustion Chamber (LTMCC) 

• STS-103 - First flight of ET foam venting 

• STS-1 10 - First full Block II cluster, New High Pressure Fuel Turbopump (HPFTP) 

• STS-1 14 - Return to Flight after Columbia 
• STS-133 - Current Mission Risk 

In order to ensure that the risk differences are not about a particular mission objective and to make the analysis 
easier to accomplish the analysis models equivalent missions. In other words, the analysis models the current 
mission with the vintage vehicle. Since the model is based upon Iteration 3.3 of the SPRA 5 the mission duration and 
Micro-meteoroid Orbital Debris (MMOD) risk are based upon STS-1 19. Earlier missions although short in duration 
were dominated by risks which were independent of mission length (e.g. Reusable Solid Rocket Motor (RSRM), 
Ascent Debris). 

No model logic changes have been made to the Iteration 3.3 model. Inspection, repair, and crew rescue 
improvements made after the Columbia accident are turned off via existing model change sets for the flights prior to 
the Columbia accident. 


5 NASA Internal Document, Thigpen, Eric, Shuttle PRA Iteration 3.3 Changes Notebook, NASA, Johnson Space 
Center, Safety and Mission Assurance Directorate, Shuttle and Exploration Division, Analysis Branch, Houston, 
Texas, November 2010 
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C. Limitations 

As previously mentioned this analysis uses the SPRA and therefore is subjected to the same limitations. A 
complete description of the SPRA limitations can be found in the Iteration 3.0 integration notebook 6 . In addition to 
the general SPRA limitations the following limitations specific to this analysis have been identified: 

• The analysis is based upon the current understanding of Shuttle risk looking back after 30 years of 
operating history and therefore does not address any currently unknown risks. 

• As stated previously the analysis does not model a particular mission as it was flown, therefore difference 
between missions are the result of vehicle differences and not differences between mission objectives. A 
particular mission as flown may have a higher or lower risk that is estimated. 

• The analysis can be used to inform a new program of the general trend of reliability growth for a complex 
high risk vehicle but specific values should not be used since a new program will have its own lessons to 
learn and may be starting at a different point. 


II. Methodology 

The following subsections will describe the methodology used to produce the Shuttle Risk Progression. 

A. Approach 

In the Shuttle PRA, failures which have been mitigated through redesign or process improvements are 
discounted. The Shuttle Risk Progression analysis approach is to remove these discounts in order to estimate the risk 
prior to the improvements. For risks which do not in general fall into this category, such as Ascent Debris or RSRM, 
early flight risk estimates are specifically modeled. 

1. Discounted Data 

In the Shuttle PRA the functional failure rates of higher risk components (those that showed up in the top 99% of 
the cut sets) use generic failure rates which are Bayesian updated with Shuttle specific data. Applicable component 
failures are discounted based upon the type and effectiveness of mitigation implemented, and time of 
implementation. Details associated with how failures have been discounted can be found in the Iteration 3.0 
Functional Data Notebook 7 8 . The Shuttle risk progression functional data was Bayesian updated. This data was 
reviewed and discounts were taken for design changes which were evaluated and implemented. Separate failure 
rates/probabilities were also calculated based upon removing the discounts. Unique data events such as tires and 
icicles forming during water dumps were evaluated separately and flight effectivities were assigned. These events 
are considered unique because they do not follow the standard Bayesian updating process. 

The phenomenological data has some similarity to the functional data in that the discounts to historical failures 
based upon redesigns or process changes have been removed. However, unlike the functional database the Shuttle 
Phenomenological Leak Analysis Tool (SPLAT) needs to be run in order to get a revised result. SPLAT is a 
simulation model which takes some time to run and for this reason only the missions of interest were evaluated. 
Details associated with SPLAT can be found in the Iteration 3.0 Phenomenological Data Report 6 . 

2. Ascent Debris 

Ascent Debris risk is treated in a completely different way than functional and phenomenological risk since it 
does not follow the traditional failure rate calculation methodology. Tile risk is based upon Orbiter lower surface 
damages greater than 1 inch and uses the Ascent Debris Analysis Model (ADAM). ADAM uses input distributions 


6 NASA Internal Document, Thigpen, Eric, Integration Report, Vol. II, Rev. 3.0, NASA, Johnson Space Center, 
Safety and Mission Assurance Directorate, Shuttle and Exploration Division, Analysis Branch, Houston, Texas, 
November 2008. 

7 NASA Internal Document, Kahn, C.J, Lo, Y., Ring, R., Functional Failure Data Report, Vol. Ill, Book 1, Rev. 
3.0, NASA, Johnson Space Center, Safety and Mission Assurance Directorate, Shuttle and Exploration Division, 
Analysis Branch, Houston, Texas, November 2008. 

8 NASA Internal Document, Teel, J., Lo, Y, Kelly, M., Britton, P., Phenomenological Data Report, Vol. Ill, Book 2, 
Rev. 3.0, NASA, Johnson Space Center, Safety and Mission Assurance Directorate, Shuttle and Exploration 
Division, Analysis Branch, Houston, Texas, November 2008. 

3 

American Institute of Aeronautics and Astronautics 



derived from historical damages (length, width, depth, quantity, location) and simulates missions. The simulated 
mission damage is then compared against the Orbiter damage criteria to compute a probability the damage is critical 
(i.e. would cause LOCV on re-entry if not mitigated through repair or crew rescue). Reinforced Carbon Carbon 
(RCC) risk is based upon flight history using engineering judgment to adjust with the changing environment. 
Adjustments are made based upon assuming similar changes in RCC risk as seen in the higher fidelity Tile model. 

3. MMOD 

MMOD risk is based upon the STS-119 MMOD assessment which is utilized in SPRA Iteration 3.3 with the 
exception that inspection and repair are not considered prior to their implementation following the Columbia 
accident. MMOD risk was first calculated on STS-50 and since that time the damage criteria has changed. It would 
be difficult to go back and normalize the risk to a single damage criterion, and even then differences in mission 
duration and attitude timeline (ATL) could impact the risk significantly. 

4. Reusable Solid Rocket Motor 

Reusable Solid Rocket Motor (SRM) risk based upon 1 LOCV in 25 missions concluding with the Challenger 
accident and based upon Iteration 3.3 for the subsequent missions (e.g. 1:1500). The estimate of 1 in 25 is based 
upon using 1 in 50 for each RSRM, which is based upon demonstrated history. Details associated with the Iteration 
3.3 value may be founded in the Iteration 3.0 SPRA Volume III, Book 1 Functional Failure Data Report 9 . 

5. Space Shuttle Main Engine 

Space Shuttle Main Engine (SSME) data analysis utilizes failures and operating history of each major engine 
configuration. This section provides a high level summary of the SSME data analysis. 

• The First Manned Orbital Flight (FMOF) engine was used on STS-1 through STS-5. 

• The Full Power Level (FPL) engine was used on STS-6 through STS-5 1L. 

• The Phase II engine was used on STS-26 through STS-76 plus STS-94. 

• The Block 1 engine was used on STS-77 through STS-88 and includes the risks for the Block 1A engine 
configuration. 

• The Block IIA engine was used on STS-89 through STS-109. 

• The Block II engine without Advanced Health Monitoring System (AHMS) was used on STS-1 10 through 
STS-1 17. 

• The Block II engine with AHMS was used on STS-1 18 through STS-133. 

6. Orbiter Flight Software 

The Orbiter flight software risk is based upon the report “Primary Avionics Software System (PASS) 
Probabilistic Risk Assessment” 10 which uses historical data from the SSP, to determine the Loss of Crew (LOC) 
probability due to a failure in the PASS aboard the Shuttle. Although new software updates can introduce new 
errors, more errors are eliminated and the risk trends down. 

7. Inspection, Repair and Crew Rescue 

No inspection is assumed prior to return to flight after Columbia even though on some earlier missions Orbiter 
damages were imaged by the Remote Manipulator System (RMS) (e.g. STS-27). This assumption was made because 
of the limited inspection capability and the fact that there was no mitigation plan in place if damage was detected. 

For STS-1 14, the return to flight after Columbia, Flight Day 2 (FD2) inspection is credited; however there was 
no late inspection. The repair techniques were still being developed therefore limited repair capability with large 
uncertainties was assumed. There was significant reliance on crew rescue as a risk mitigation measure because the 
repair capabilities were not fully developed. For this reason the Launch On Need (LON) vehicle was far along in its 


9 NASA Internal Document, Teel, J., Lo, Y, Kelly, M., Britton, P., Phenomenological Data Report, Vol. Ill, Book 2, 
Rev. 3.0, NASA, Johnson Space Center, Safety and Mission Assurance Directorate, Shuttle and Exploration 
Division, Analysis Branch, Houston, Texas, November 2008. 

10 NASA Internal Document, Russel, R., Thompson, N. Zhu, S., Primary > Avionics Software System (PASS) 
Probabilistic Risk Assessment, SSMA-08-011, Rev. B, NASA, Johnson Space Center, Safety and Mission 
Assurance Directorate, Shuttle and Exploration Division, Analysis Branch, Houston, Texas, August 2010. 
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processing at the time of STS-1 14 launch. The estimate for crew rescue was assumed to be equivalent to the STS- 
123 mission because of similar capability. 

Post STS-1 14, both FD2 and late inspection are credited. The repair capability and crew rescue are assumed to 
be the same as SPRA Iteration 3.3 u . 

B. Assumptions 

This section outlines the assumptions that comprise the framework for developing the Shuttle Risk Progression. 
This section also provides assumptions that further define the scope of the analysis. The following general 
assumptions are applied across all missions: 

• The Shuttle PRA functional and phenomenological data analyses discount failures based upon 
improvements which are either the result of process changes, redesigns or hardware life limits. These 
discounts are either based upon default discounts or are based upon the ratio of the prior failure rate to the 
post improvement failure rate. In this analysis these discounts are removed until the improvements have 
been implemented, however the operating time is held constant. This could lead to an underestimate of the 
early failure rate because additional failures could have occurred if the redesign or process improvement 
had not been implemented. This is not expected to significantly impact the results because the functional 
and phenomenological data generally do not drive the overall risk. 

• The calculated risk of crew error is assumed to remain the same across the flights. This assumption 
simplifies the scope of the modeling. Although the crew error probability was likely higher on earlier 
missions due to limited experience, it would be difficult to justify this with limited data. 

• Similar to the current iteration of the SPRA model, MMOD risk is based upon STS-1 19 predictions. This 
approach may be conservative for early flights since the environment was getting worse and mission 
durations were shorter; however, this may be non-conservative for later pre-Return-to-Flight (RTF) 
missions since ATL adjustments were made post-RTF to reduce the MMOD risk. 

• In general this analysis does not model ET changes, except as they impact Ascent Debris. 

• Orbiter structural failure was assumed to be constant across the flights even though this risk on STS-1 was 
probably higher due to an underestimation of the acoustic condition created on the launch pad during SRB 
ignition. The overpressure event deformed a Forward Reaction Control System (RCS) oxidizer tank aft Z 
strut. 

• Except for four SSME failures that were distinctively related to Block 1 and later hardware, namely failures 
associated with the alternate HPFTP (HPFTP/Alternate Turbopump (AT)) and alternate HPOTP 
(HPOTP/AT), all identified failures are assumed to have been a risk present from the start of the SSME 
program. Total engine ground hot fire and flight time since the start of the SSME program to STS-128 is 
used, approximately 1.08 million seconds. Relative to each configuration, each failure’s root cause and 
corrective actions were reviewed. For SSME, DAR life-limits and additional inspection points have 
significant and immediate buy down in risk. Failure discounts due to differences in extended duration tests 
and ground testing power level are predominately associated with First Manned Orbital Flight (FMOF) and 
Full Power Level (FPL) engines. As a guide, the maximum allowable failure discount for each failure 
should be that assigned against the current Block II with AHMS configuration. 

• TPS debond initiator remains constant. Although there was a significant number of tile debonds during 
STS-1 they were not the lower surface black tiles which are modeled in the PRA. The significant loss of 
tiles during STS-1 may be evidence that TPS debond may have been higher earlier in the program but 
given the lack of data the risk is assumed to be constant. 

Additional assumptions have been made, including flight specific assumptions and are documented in the Shuttle 
Risk Progression by Flight report 1 ”. 


11 NASA Internal Document, Thigpen, E., Shuttle PRA Iteration 3.3 Changes Notebook, NASA, Johnson Space 
Center, Safety and Mission Assurance Directorate, Shuttle and Exploration Division, Analysis Branch, Houston, 
Texas, November 2010 

12 NASA Internal Document, Hamlin, T., Kahn, C., Lo, Y., Zhu, Tl, Shuttle Risk Progression by Flight, NASA, 
Johnson Space Center, Safety and Mission Assurance Directorate, Shuttle and Exploration Division, Analysis 
Branch, Houston, Texas, April 2011 
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III. Results 


The following subsections document the key results and dominant contributors of the Shuttle risk progression. 

A. Overall Shuttle Risk 

The overall mission result for LOCV is estimated to go from 1.1E-01 per mission or 1:12 on STS-1 to 1.1E-02 or 
1:90 on STS-133. This is approximately an order of magnitude improvement over the life of the Shuttle Program. 

Table 1 provides the calculated values including uncertainty for the 14 analyzed flights. Values have been 
rounded to two significant figures on Table 1 and all subsequent figures and tables. The uncertainty parameters are 
calculated using a 
random number 
generator seed of 
16117 and 35000 
samples. 

The probability of 
LOCV on STS-1 was 
calculated to be 1:12 
considering the 

availability of 

ejection seats to save 
the two crewmembers 
given a loss of vehicle 
event below 80,000 
ft. 

On STS -5 the 
ejection seats were 
disabled when the 
crew size increased 
from two to four. This 
led to an increase in 
risk of LOCV from 
approximately 1:12 to 
approximately 1:10. 

On STS-9, an APU fire led to process improvements on STS-41B which decreased the probability of hydrazine 
leakage which could lead to LOCV. In addition, the Orbiter flight software risk decreased due to updated software. 
However, overall risk remained at approximately 1:10 (although still slightly lower than STS-5) due to an increase 
in SSME risk associated with increasing the operational power level (reducing safety margin to increase 
performance). 

On STS-5 1L ( Challenger ), risk was further reduced but remained at approximately 1:10. Risk reductions were 
due to a redesign on the APU that was implemented to further reduce the likelihood of having an APU hydrazine 
leak which may lead to LOCV, and to updated software. 

On STS-26, RTF following Challenger, a redesign of the SRM led to a significant risk reduction from 
approximately 1:10 to approximately 1:17. Although the bulk of the mission risk reduction was due to the SRM 
redesign, the SSME risk was decreased due to the use of the Phase II engine, and the Orbiter flight software risk 
decreased due to updated software. 

On STS-27 the right SRB nose cap TPS liberated causing significant damage to the Orbiter lower surface tiles 
(>298 damages greater than 1 inches). On the next flight, STS-29, the ablative material on the SRB nose cap TPS 
was replaced with a material with higher tensile strength to prevent liberation. For this reason, the ascent debris risk 
for STS-29 significantly reduced resulting in an overall reduction of LOCV from approximately 1:17 to 
approximately 1:36. 

The Improved Auxiliary Power Unit (IAPU) was introduced along with updated software on STS-49 which led 
to a decrease in overall risk from approximately 1:36 to approximately 1:37. 

On STS-77 SSME risk was reduced with the introduction of the Block I/IA engines with the improved HPOTP 
and software was again updated to reduce the risk to approximately 1:38. 


Table 1. Summary of Overall Shuttle Risk, Including Uncertainty 


STS 

Mission 

5 th 

Percentile 

Median 

Mean 

95 m 

Percentile 

Error 

Factor 

STS-1 

1 

4.3E-02 

7.7E-02 

8.3E-02 (1:12) 

1.5E-01 

1.8 

STS-5 

5 

4.9E-02 

9.6E-02 

1.0E-01 (1:10) 

1.9E-01 

2.0 

STS-41B 

10 

4.6E-02 

9.3E-02 

1.0E-02 (1:10) 

1.9E-01 

2.0 

STS-511 

25 

4.3E-02 

9.0E-02 

9.9E-02 (1:10) 

1.9E-01 

2.1 

STS-26 

26 

2.8E-02 

5.3E-02 

6.0E-02 (1:17) 

1.2E-01 

2.1 

STS-29 

28 

1.7E-02 

2.6E-02 

2.8E-02 (1:36) 

4.4E-02 

1.6 

STS-49 

47 

1.7E-02 

2.5E-02 

2.7E-02 (1:37) 

4.3E-02 

1.6 

STS-77 

77 

1.6E-02 

2.5E-02 

2.6E-02 (1:38) 

4.2E-02 

1.6 

STS-86 

87 

2.3E-02 

4.2E-02 

4.8E-02 (1:21) 

9.2E-02 

2.0 

STS-89 

89 

2.2E-02 

4.1E-02 

4.7E-02 (1:21) 

9.1E-02 

2.0 

STS-103 

96 

1.4E-02 

2.0E-02 

2.1E-02 (1:47) 

3.3E-02 

1.5 

STS-1 10 

109 

1.4E-02 

2.0E-02 

2.1E-02 (1:47) 

3.2E-02 

1.5 

STS-1 14 

114 

9.6E-03 

1.3E-02 

1.4E-02 (1:73) 

1.9E-02 

1.4 

STS-133 

133 

7.9E-03 

1.1E-02 

1.1E-02 (1:90) 

1.6E-02 

1.4 
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On STS-86 the overall risk increased significantly to approximately 1:21 because changes in the ET foam 
application process led to significant Orbiter damages. Figure 1 shows the number of Orbiter lower surface damage 
ordered by the ET start date. From ET-88 (STS-86) to ET-100 (STS-96) there is an increase in the number of 
damages on average from approximately 13 greater than 1 inch to approximately 45 greater than 1 inch. Prior to 
STS-86 the Environmental Protection Agency (EPA) banned the use of Chlorinated Fluorocarbon(CFC)-l 1 Freon 
and STS-86 was the first mission with the new ET foam application process. Updated software did decrease the risk 
from Orbiter flight software but it is overshadowed by the ascent debris risk increase. 



Figure 1. Orbiter Lower Surface Damages Arranged by ET Start Date. Prior to ET-88 (STS-86) the 
average number of hits to the lower surface >1 inch was approximately 13, from ET-88(STS-86) to ET-100 
( STS-96 ) the average is approximately 45. Once the ET is vented the averages drops back down to 
approximately 16 

On STS-87 the SSME risk decreased due to use of the Block IIA engine with new LTMCC, which reduced the 
severity of the SSME operating environment (lower temperature, pressure and pump speed). However, the risk 
remained rounded at approximately 1:21 since ascent debris remained unchanged. 

On STS-103 the ascent debris risk significantly reduced. Figure 1 shows that starting at STS-103 which was the 
first mission with venting holes on the ET TPS the number of damages on the vehicle decreased from approximately 
45 damages greater than 1 inch to approximately 16 damages greater than 1 inch. This is similar but slightly higher 
than the average number prior to the ban of CFC-11 Freon. In addition, even though the number of damages is 
greater than the STS-77 estimates (approximately 13 damages per flight) the average size of the damage is smaller 
resulting in an ascent debris risk which is lower than STS-77. In addition to the ascent debris risk reduction there is a 
software update and overall risk decrease to approximately 1:47. 

On STS-110 the SSME risk increases slightly from approximately 1:680 to approximately 1:610 when engine 
configuration changed from Block 11A to Block II. This is due to early test failures in the Block II HPFTP that 
cannot be attributed to any other engine configuration. Although these early failures resulted in corrective actions on 
the Block II engine, the residual risk is higher than the Block IIA engine. The total mission risk remained at 
approximately 1:47. 

On STS-114, the return to flight after Columbia, ascent debris risk was mitigated by the introduction of 
inspection, repair, and crew rescue. This reduced the ascent debris risk from approximately 1:130 to approximately 
1:600. In addition, Orbiter flight software was updated. The total mission risk decreased from approximately 1:47 to 
approximately 1:73. 

STS-133 is assumed to represent the current mission risk (realistically this could be STS-134 or STS-135 as 
well). The ascent debris risk has decreased from approximately 1:600 to approximately 1:940 due to improved 
debris environment and improved repair techniques. In addition, SSME uncontained risk has decreased from 
approximately 1:610 to approximately 1:650 with the addition of the AHMS that shifted some SSME uncontained 
risk to safe shutdown. The total mission risk decreased from approximately 1:73 to approximately 1:90. 
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Figure 2 provides a graphical summary of the overall results including captions for the major changes between 
flights which were mentioned in the preceding paragraphs. The results are ordered by flight sequence number with 
the STS number provided in blue below the X-axis. 
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Figure 2. Shuttle Risk Progression Summary Results. Captions describe major changes which impacted 
the mission risk. 
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B. Top Risk Contributors 

Understanding the contributors to risk is also very important. Table 2 shows the dominant Shuttle contributors 
for STS-1 once similar events (e.g., ascent debris and MMOD) are combined. Failure scenarios (cut sets) above 
1.0E-07 are reviewed and combined to establish this ranking. Including cut sets below 1.0E-07 are not expected to 
alter the ranking but may impact absolute values slightly. It can be seen in Table 2 that the LOCV risk is driven by 
Ascent Debris since crew escape via ejection seats are not available as a mitigation while on orbit or during entry. 


Table 2. STS-1 Top 10 Contributors to Risk 


Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

1 

53.5 

53.5 

4.5E-02 (1:22) 

Ascent debris strikes Orbiter TPS leading to LOCV on 
orbit or entry 

2 

19.2 

72.8 

1.6E-02 (1:63) 

SRM-induced SRM catastrophic failure and ejection seats 
fail to save the crew 



79.2 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on orbit 
or entry 


5.0 

84.2 

4.2E-03 (1:240) 

SSME-induced SSME catastrophic failure and ejection 
seats fail to save the crew 


3.7 

87.9 

3.1E-03 (1:320) 

Orbiter APU Shaft Seal Fracture Entry and ejection seats 
fail to save the crew 


2.9 

90.8 

2.4E-03 (1:420) 

APU external leak on entry and ejection seats fail to save 
the crew 

7 

2.0 

92.8 

1.7E-03 (1:600) 

Orbiter flight software error results in catastrophic failure 
during ascent and ejection seats fail to save the crew 


1.1 

93.9 

9.0E-04 (1:1100) 

APU external leak on ascent and ejection seats fail to save 
the crew 


1.1 

95.0 

8.8E-04 (1:1100) 

Orbiter APU Shaft Seal Fracture Ascent and ejection seats 
fail to save the crew 

10 

0.8 

95.7 

6.3E-04 (1:1600) 

SSME-induced safe shutdown of the SSME and ejection 
seats fail to save the crew 
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Table 3 shows the dominant Shuttle contributors for STS-5 using the same combining of similar events. In 
addition. Table 3 shows the delta risk between STS-1 and STS-5. Most of the top risks increased due to the disabling 
of the crew ejection seats. The ejection seats were disabled due to the increase of the crew size from two to four 
(ejection seats would only have been available to the pilot and commander) and the fact that NASA believed that the 
shuttle had ended its research and development period and entered Operational capability. 


Table 3. STS-5 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(l:n) ' 

Description 

Delta Risk 
from STS-1 

1 

42.5 

42.5 

4.5E-02 (1:22) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

None 

2 

38.2 

80.7 

4.0E-02 (1:25) 

SRM-induced SRM catastrophic failure 

'['1:42 

3 

5.1 

85.8 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

4 

4.6 

90.5 

4.9E-03 (1:210) 

SSME-induced SSME catastrophic failure 

[1:1500 

5 

2.5 

93.0 

2.6E-03 (1:380) 

APU external leak on entry 

1 1:4500 

6 

1.7 

94.7 

1.8E-03 (1:560) 

Orbiter flight software error results in catastrophic 
failure during ascent 

[■1:7000 

7 

1.6 

96.3 

1.7E-03 (1:590) 

Orbiter APU Shaft Seal Fracture Entry 

[1:710 

8 

0.9 

97.3 

9.8E-04 (1:1000) 

APU external leak on ascent 

[1:13000 

9 

0.8 

98.0 

8.2E-04 (1:1200) 

Crew error during entry 

[1:3400 

10 

0.7 

98.7 

7.1E-04 (1:1400) 

SSME-induced safe shutdown of the SSME 

[1:14000 
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Table 4 shows the dominant Shuttle contributors for STS-133 using the same combining of similar events. In 
addition. Table 4 shows the delta risk between STS-114 and STS-133. STS-114 top risks are provided in the 
appendix along with the remaining evaluated missions and shows that three of the top 10 risk drivers from STS-133 
have decreased since STS-114. MMOD risk decreased approximately 1:550 due to the addition of late inspection. 
Ascent debris risk decreased approximately 1:8500 because of return to flight after Columbia debris reduction 
initiatives and improved repair capability. SSME risk decreased approximately 1:1700 due to the AHMS which will 
monitor turbopumps vibration and shutdown an errant engine before catastrophic engine failure occurs. 


Table 4. STS-133 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
114 

1 

29.6 

29.6 

3.3E-03 (1:300) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

|1:550 

2 

13.7 

43.3 

1.5E-03 (1:650) 

SSME-induced SSME catastrophic failure 

41:8500 

3 

9.6 

52.9 

1.1E-03 (1:940) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

41:1700 

4 

7.4 

60.3 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

5.9 

66.1 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

2.0 

68.2 

2.3E-04 (1:4400) 

Flight Software error result in catastrophic failure 
during ascent 

None 

7 

1.6 

69.8 

1.8E-04 (1:5600) 

Ammonia Boiler System (ABS) isolation valve leaks 
on Orbit overcooling the H20 loops and crew is 
unable to prevent rupture of the interchanger resulting 
in Loss of All Cooling 

None 

8 

1.5 

71.3 

1.7E-04 (1:5900) 

SRB APU shaft seal fracture 

None 

9 

1.2 

72.5 

1.3E-04 (1:7600) 

Flow Control Valve (FCV) poppet failure causes 
rupture in the GH2 re -pressurization line 

None 

10 

1.2 

73.6 

1.3E-04 (1:7700) 

Collision of the Orbiter with the International Space 
Station (ISS) during rendezvous and docking 

None 


Top 10 risks were compiled for each of the 14 missions analyzed, but not all of them are documented in this 
paper. Table 4 shows the top contributors for STS-133 which is a reflection of the most up to date Shuttle PRA. The 
delta risk between STS-133 and STS-114 is given. 

Another interesting way to show how risks have changed over time is to graph each risk individually. Figure 3 
graphically displays how risks that have appeared in the top 10 risks have change over time. Each risk is graphed 
using a technique called “small multiples” which makes it easier to compare risks by using the same scale. A total of 
19 risks have appeared in the top 10. Figure 3 also shows how the risk rankings have changed by color coding the 
risks. The objectives of these graphs is not to pick out the numerical values for individual risk but to see the general 
trend of the values over time and to be able to compare those trends across risks. 

It is interesting to note that five risks have consistently remained in the top 10. These risks which have remained 
top risk drivers (outlined in red in Fig. 3) are Ascent Debris, MMOD, SSME, RSRM and Orbiter flight software. 
Flowever, that does not mean that these were always recognized as top risks, in fact Orbiter flight software was only 
recently added to the Shuttle PRA. 
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Figure 3. How Top Risks Change Over Time 
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C. Orbiter Hardware/Software 

There are many different ways to track the Shuttle risks such as by total risk or by top risk drivers as shown in 
previous sections. Another way to track Shuttle risk is by element. This section shows how the Orbiter element 
hardware/software risk has changed over time. This grouping does not include risks associated with other elements 
(RSRM, SSME, ET, SRB), risks initiated by the crew, ascent debris, nor MMOD. 

The Orbiter Hardware/Software result for LOCV is estimated to go from 1.4E-02 per mission or 1:69 on STS-1 
to 2.7E-02 or 1:370 on STS-133. This is about half an order of magnitude improvement over the life of the Shuttle 
Program. Table 5, Summary’ of Orbiter Hardware/Software Risk, Including Uncertainty, provides the complete list 
of the results including uncertainty parameters. The uncertainty parameters are calculated using a random number 
generator seed of 1611 7 and 35,000 samples. 

Figure 4 provides 
a graphical summary 
of the overall results 
including captions 
for the major 
changes between 
flights which were 
mentioned in the 
Overall Shuttle Risk 
paragraphs. The 
results are ordered 
by flight sequence 
number with the STS 
number provided in 
blue below the X- 
axis. 


Table 5. Summary of Orbiter Hardware/Software Risk, Including Uncertainty 


STS 

Mission 

5 th 

Percentile 

Median 

Mean 

95“ 

Percentile 

Error 

Factor 

STS-1 

1 

8.6E-03 

1.3E-02 

1.4E-02 (1:69) 

2.4E-02 

1.7 

STS-5 

5 

8.5E-03 

1.2E-02 

1.3E-02 (1:76) 

2.0E-02 

1.5 

STS-41B 

10 

5.5E-03 

8.4E-03 

9.1E-03 (1:110) 

1.5E-02 

1.6 

STS-5 11 

25 

4.1E-03 

5.9E-03 

6.3E-03 (1:160) 

9.5E-03 

1.5 

STS-26 

26 

3.9E-03 

5.7E-03 

6.0E-03 (1:170) 

9.1E-03 

1.5 

STS-29 

28 

3.7E-03 

5.4E-03 

5.7E-03 (1:180) 

8.5E-03 

1.5 

STS-49 

47 

3.2E-03 

4.5E-03 

4.8E-03 (1:210) 

7.3E-03 

1.5 

STS-77 

77 

3.0E-03 

4.3E-03 

4.6E-03 (1:220) 

7.1E-03 

1.5 

STS-86 

87 

2.8E-03 

4.1E-03 

4.4E-03 (1:230) 

6.7E-03 

1.5 

STS-89 

89 

2.7E-03 

3.9E-03 

4.2E-03 (1:240) 

6.5E-03 

1.6 

STS-103 

96 

2.6E-03 

3.8E-03 

4.1E-03 (1:250) 

6.3E-03 

1.5 

STS-1 10 

109 

2.5E-03 

3.6E-03 

3.9E-03 (1:250) 

6.2E-03 

1.6 

STS-1 14 

114 

1.9E-03 

2.7E-03 

2.8E-03 (1:350) 

4.1E-03 

1.5 

STS-133 

133 

1.8E-03 

2.6E-03 

2.7E-03 (1:370) 

3.9E-03 

1.5 
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Figure 4. Shuttle Risk Progression Orbiter Hardware/Software Summary Results. Captions describe 
major changes which impacted the Orbiter Hardware/Software risk. 
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D. Comparisons to Historical Estimates 

The results provided in the previous section are based upon the current understanding of the Shuttle risk utilizing 
the most comprehensive Shuttle PRA to date. However there were previous estimates of Shuttle risk and this section 
compares these estimates at the time of their release to the Shuttle risk progression estimates. Figure 5 summarizes 
the major historical risk estimates with a brief description of the scope of the analysis. Going from left to right the 
risk estimates are increasing in fidelity and have expanding scopes. Two of the earliest Shuttle risk assessments 
which are not included in Fig. 5 are the “Wiggins Analysis” 1 and the “Weatherwax Analysis.” 2 The “Wiggins 
Analysis” conducted by the J. H. Wiggins Co. of Redondo Beach, California between 1979 and 1982 put the overall 
risk of losing a shuttle between 1:1000 and 1:10000 and was mainly based upon engineering judgment. The 
“Weatherwax Analysis” prepared by R.K. Weatherwax of Sierra Energy and Risk Assessment Incorporated in 1983 
put the overall risk of losing a shuttle at approximately 1:35 was a review of the “Wiggins Analysis” with more of a 
data based approach. It also should be noted that the Shuttle PRA Team (SPRAT) PRA is the first SPRA which has 
been sponsored by the Shuttle Program; previous analyses were sponsored by other organizations such as NASA 
Headquarters Office of Safety and Mission Assurance. The SPRA has been incrementally developed over many 
years with increases in the mission phases modeled (i.e. Ascent, Orbit and Entry), systems modeled, and risk factors 
considered (e.g. phenomenological failures, human reliability, and external events). Significant recent progress has 
been the result of established NASA requirements, standards, tools, and the development of a strong Shuttle 
Program PRA team. 
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Figure 5. Historical Risk Estimates. 


Figure 6 graphically displays the historical Shuttle risk estimates overlayed onto the summary of the Shuttle risk 
progression. Historical risk estimates are shown in red. It clearly shows that the early risk estimates were grossly 
underestimated, with the engineering judgment based estimate being off by several orders of magnitude. This may 
lead one to believe that early PRA estimates are overly optimistic and therefore should not be used. Quite the 
opposite, a comprehensive PRA, similar to that of the Shuttle PRA, is an effective tool quantifying risk drivers if 
support from all of the stakeholders is given. The earliest estimates were not PRAs nor were they comprehensive. 
That is not to say that even the most comprehensive PRA will not have limitations especially for the first flights of a 
new program as understanding of the integrated vehicle is being developed. Adjustments are needed in order to 
bound the first flight or early flight risk. The Shuttle risk progression assessments will help with making those 
adjustments. 
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Figure 6. Shuttle Risk Progression Summary with Historical Risk Estimates. Red values marked with 
Xs represent analyses prior to initiation of the Shuttle PRA. Red values marked with circles represent 
previous Shuttle PRA estimates. 


IV. Conclusion 

Using this analysis technique shows that the Shuttle average mission risk has improved by approximately an 
order of magnitude over the life of the program. Risk reductions are the result of redesigns or operational changes, 
the most significant of which follow major events (e.g. Challenger, Columbia, STS-27 TPS damage). This analysis 
is different than traditional reliability growth models which show steady improvement with each flight. The most 
significant difference is that risk can increase due to trading safety margin for increased performance or due to 
external events. An example of trading safety margin is the increase in SSME risk with the increase in operating 
power level. An example of an external event which increased the risk was the EPA ban of CFC-11 Freon which 
increased the Ascent Debris risk. 

The Shuttle risk progression shows that significant improvement does not happen without understanding what 
drives the risk and without the time and money to redesign risk significant hardware (e.g. RSRM, Block II SSME, 
IAPU) or without impacts to mission (e.g. ATL adjustments, inspections). For example, although ascent debris risk 
was significantly reduced following STS-27 it was never fully appreciated as a top risk contributor until after 
Columbia and risk was then reduced by a factor of 7 (i.e. reduction from 1:130 pre-Columbia to the current estimate 
of 1:940). 
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Appendix 


The following tables show the top risk drivers for the evaluated missions which were not covered in the body of the 
taper. 


Table 6. STS-41B Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 

(l:n) 

Description 

Delta Risk 
from STS-5 

1 

43.6 

43.6 

4.5E-02 (1:22) 

Ascent debris strikes Orbiter TPS leading to 
LOCV on orbit or entry 

None 

2 

39.1 

82.7 

4.0E-02 (1:25) 

SRM-induced SRM catastrophic failure 

None 

3 

5.7 

88.4 

5.9E-03 (1:170) 

SSME-induced SSME catastrophic failure 

11:1000 

4 

5.2 

93.7 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV 
on orbit or entry 

None 

5 

0.7 

94.4 

1.7E-03 (1:590) 

Orbiter APU Shaft Seal Fracture Entry 

None 

6 

1.7 

96.0 

1.7E-03 (1:600) 

Orbiter flight software error results in 
catastrophic failure during ascent 

41:7700 

7 

1.6 

97.7 

8.2E-04 (1:1200) 

Crew error during entry 

None 

8 

0.8 

98.5 

7.2E-04 (1:1400) 

SSME-induced benign shutdown of the SSME 

41:110000 

9 

0.5 

98.9 

4.8E-04 (1:2100) 

Orbiter APU Shaft Seal Fracture Ascent 

None 

10 

0.5 

99.4 

4.7E-04 (1:2100) 

Fuel supply failure to the OMS during orbit 

None 
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Table 7. STS-51L Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
41B 

1 

45.0 

45.0 

4.5E-02 (1:22) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

None 

2 

40.4 

85.4 

4.0E-02 (1:25) 

SRM-induced SRM catastrophic failure 

None 

3 

5.4 

90.8 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

4 

5.2 

96.1 

5.2E-03 (1:190) 

SSME-induced SSME catastrophic failure 

41:1500 

5 

1.1 

97.1 

1.1E-03 (1:950) 

Orbiter flight software error results in catastrophic 
failure during ascent 

41:1600 

6 

0.8 

98.0 

8.2E-03 (1:1200) 

Crew error during entry 

None 

7 

0.6 

98.5 

5.5E-04 (1:1800) 

SSME-induced benign shutdown of the SSME 

41:6100 

8 

0.5 

99.0 

4.7E-04 (1:2100) 

Fuel supply failure to the OMS during orbit 

None 

9 

0.4 

99.4 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

10 

0.3 

99.7 

3.4E-04 (1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

41:730 


Table 8. STS-26 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
51L 

1 

73.7 

73.7 

4.5E-02 (1:22) 

Ascent debris strikes Orbiter TPS leading to LOCV on 
orbit or entry 

None 

2 

8.8 

82.5 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

5.6 

88.1 

3.4E-03 (1:290) 

SSME-induced SSME catastrophic failure 

41:560 

4 

1.4 

89.4 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

1.3 

90.7 

7.6E-04 (1:1300) 

Orbiter flight software error results in catastrophic 
failure during ascent 

41:3400 

6 

1.1 

91.8 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

41:25 

7 

0.8 

92.5 

4.7E-04 (1:2100) 

Fuel supply failure to the OMS during orbit 

None 

8 

0.6 

93.2 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

9 

0.6 

93.7 

3.4E-04 (1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

None 

10 

0.4 

94.2 

2.6E-04 (1:3800) 

SSME-induced benign shutdown of the SSME 

41:3400 
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Table 9 STS-29 Top 10 Contributors to Risk 


Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS-26 

1 

40.2 

40.2 

1.1E-02 (1:89) 

Ascent debris strikes Orbiter TPS leading to 
LOCV on orbit or entry 

|1:35 

2 

19.1 

59.3 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to 
LOCV on orbit or entry 

None 

3 

12.2 

71.5 

3.4E-03 (1:290) 

SSME-induced SSME catastrophic failure 

None 

4 

2.9 

74.4 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

2.7 

77.1 

7.6E-04 (1:1300) 

Orbiter flight software error results in 
catastrophic failure during ascent 

None 

6 

2.3 

79.5 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

7 

1.6 

81.1 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS during orbit 

|1:41000 

8 

1.3 

82.4 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

9 

1.2 

83.6 

3.4E-04 (1:2900) 

Orbiter APU Shaft Seal Fracture Entry 

None 

10 

0.8 

84.5 

2.3E-04 (1:4300) 

SRB booster separation motor debris strikes 
Orbiter windows 

None 


Table 10. STS-49 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
29 

1 

41.4 

41.4 

1.1E-02 (1:89) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

None 

2 

19.7 

61.1 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

12.5 

73.6 

3.4E-03 (1:290) 

SSME-induced SSME uncontained failure 

None 

4 

3.0 

76.6 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

2.4 

79.0 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

1.8 

80.9 

5.0E-04 (1:2000) 

Orbiter flight software error results in catastrophic 
failure during ascent 

4,1 :3900 

7 

1.7 

82.5 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS during orbit 

None 

8 

1.4 

83.9 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

9 

0.9 

84.7 

2.3E-04 (1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

None 

10 

0.7 

85.4 

1.8E-04 (1:5500) 

Mechanisms failure 

None 
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Table 11. STS-77 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS-49 

1 

42.8 

42.8 

1.1E-02 (1:89) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

None 

2 

20.4 

63.2 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

10.2 

73.4 

2.7E-03 (1:380) 

SSME-induced SSME uncontained failure 

41:1400 

4 

3.1 

76.6 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

2.5 

79.1 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

1.7 

80.8 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

1.5 

82.2 

3. 8E-04 (1:2600) 

Orbiter flight software error results in catastrophic 
failure during ascent 

41:8500 

8 

1.4 

83.7 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

9 

0.9 

84.5 

2.3E-04 (1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

None 

10 

0.7 

85.2 

1.8E-04( 1:5500) 

Mechanisms failure 

None 


Table 12. STS-86 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS-77 

1 

70.8 

70.8 

3.4E-02 (1:30) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

1 1:44 

2 

11.1 

81.9 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

5.6 

87.5 

2.7E-03 (1:380) 

SSME-induced SSME uncontained failure 

None 

4 

1.7 

89.2 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

1.4 

90.6 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

0.9 

91.5 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

0.8 

92.3 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

8 

0.7 

92.9 

3.2E-04 (1:3100) 

Orbiter flight software error results in catastrophic 
failure during ascent 

41:15000 

9 

0.5 

93.4 

2.3E-04 (1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

None 

10 

0.4 

93.8 

1.9E-04 (1:5400) 

SSME-induced benign shutdown of the SSME 

41:22000 



20 

American Institute of Aeronautics and Astronautics 


21 

American Institute of Aeronautics and Astronautics 



Table 14. STS-103 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS-89 

1 

37.3 

37.3 

7.9E-03 (1:130) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

(,1:38 

2 

25.2 

62.5 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

6.9 

69.5 

1.5E-03 (1:680) 

SSME-induced SSME catastrophic failure 

None 

4 

3.9 

73.3 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

3.1 

76.4 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

2.1 

78.6 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS during orbit 

None 

7 

1.7 

80.3 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

8 

1.4 

81.7 

3.0E-04 (1:3400) 

Orbiter flight software error results in catastrophic 
failure during ascent 

|1:48000 

9 

1.1 

82.8 

2.3E-04 (1:4300) 

SRB booster separation motor debris strikes Orbiter 
windows 

None 

10 

0.9 

83.7 

1.8E-04 (1:5500) 

Mechanisms failure 

None 
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Table 15. STS-110 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
103 

1 

37.4 

37.4 

7.9E-03 (1:130) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

None 

2 

25.3 

62.7 

5.3E-03 (1:190) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

None 

3 

7.8 

70.5 

1.6E-03 (1:610) 

SSME-induced SSME catastrophic failure 

11:5600 

4 

3.9 

74.4 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

3.1 

77.5 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

2.1 

79.6 

4.5E-04 (1:2200) 

Fuel supply failure to the OMS 

None 

7 

1.7 

81.3 

3.7E-04 (1:2700) 

Debonding of TPS during ascent 

None 

8 

1.2 

82.6 

2.6E-04 (1:3800) 

Orbiter flight software error results in catastrophic 
failure during ascent 

|1:27000 

9 

0.9 

83.4 

1.8E-04 (1:5500) 

Mechanisms failure 

None 

10 

0.8 

84.3 

1.8E-04 (1:5600) 

ABS isolation valve leaks on Orbit overcooling the 
H20 loops and crew is unable to prevent rupture of 
the interchanger resulting in Loss of All Cooling 

None 
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Table 16. STS-114 Top 10 Contributors to Risk 

Rank 

%of 

Total 

Cumulative 

Total 

Probability 
(l:n) ' 

Description 

Delta Risk 
from STS- 
110 

1 

37.3 

37.3 

5.1E-03 (1:200) 

MMOD strikes Orbiter on orbit leading to LOCV on 
orbit or entry 

41:4700 

2 

12.1 

49.4 

1.7E-03 (1:600) 

Ascent debris strikes Orbiter TPS leading to LOCV 
on orbit or entry 

41:160 

3 

12.0 

61.4 

1.6E-03 (1:610) 

SSME-induced SSME catastrophic failure 

None 

4 

6.0 

67.3 

8.2E-04 (1:1200) 

Crew error during entry 

None 

5 

4.8 

72.1 

6.5E-04 (1:1500) 

RSRM-induced RSRM catastrophic failure 

None 

6 

1.6 

73.8 

2.3E-04 (1:4400) 

Orbiter flight software error results in catastrophic 
failure during ascent 

41:29000 

7 

1.3 

75.1 

1.8E-04 (1:5600) 

ABS isolation valve leaks on Orbit overcooling the 
H20 loops and crew is unable to prevent rupture of 
the interchanger resulting in Loss of All Cooling 

None 

8 

1.2 

76.3 

1.7E-04 (1:5900) 

SRB APU shaft seal fracture 

None 

9 

1.1 

77.4 

1.5E-04 (1:6500) 

SRB booster separation motor debris strikes Orbiter 
windows 

None 

10 

1.0 

78.4 

1.3E-04 (1:7600) 

FCV poppet failure causes rupture in the GH2 re- 
pressurization line 

None 
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